When managing a server like myserver.net with multiple subdomains (a.myserver.net, b.myserver.net), creating individual SSL certificates for each subdomain becomes tedious. OpenSSL's default configuration only allows one Common Name (CN) per certificate, which seems limiting for this scenario.
The solution is to create a wildcard certificate that covers all subdomains under your main domain. This is achieved using Subject Alternative Names (SANs) in the certificate.
Here's how to create a wildcard SSL certificate with OpenSSL:
# Create a configuration file (san.cnf)
cat > san.cnf << EOF
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
countryName = US
stateOrProvinceName = California
localityName = San Francisco
organizationName = My Company
commonName = *.myserver.net
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.myserver.net
DNS.2 = myserver.net
EOF
# Generate private key and CSR
openssl req -new -nodes -newkey rsa:2048 -keyout wildcard.key -out wildcard.csr -config san.cnf
# Generate self-signed certificate
openssl x509 -req -days 365 -in wildcard.csr -signkey wildcard.key -out wildcard.crt -extensions req_ext -extfile san.cnf
- commonName: Set to *.myserver.net for wildcard coverage
- subjectAltName: Includes both wildcard and base domain
- DNS entries: Explicitly list all covered domains
For production environments, you'll want to:
- Get this CSR signed by a trusted CA instead of self-signing
- Consider using Let's Encrypt for free wildcard certificates
- Set appropriate file permissions on your private key
After setting up your web server with the certificate, verify it works for all subdomains:
openssl x509 -in wildcard.crt -text -noout | grep -A 1 "Subject Alternative Name"
Managing separate SSL certificates for each subdomain (a.myserver.net, b.myserver.net) becomes cumbersome as your infrastructure grows. The traditional approach requires:
- Creating individual CSRs for each host
- Maintaining multiple certificate files
- Separate renewal processes
There are two effective solutions:
1. Wildcard Certificate Approach
This is the most straightforward method. Create a certificate valid for *.myserver.net:
# One-step self-signed wildcard certificate (OpenSSL 1.1.1 or later for -addext).
# The SAN is required: modern clients ignore the CN and only honour names
# listed in subjectAltName, and the bare domain must be listed separately
# because *.myserver.net does not match myserver.net itself.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -keyout wildcard.key -out wildcard.crt \
  -subj "/CN=*.myserver.net" \
  -addext "subjectAltName=DNS:*.myserver.net,DNS:myserver.net"
2. Subject Alternative Name (SAN) Certificate
For more granular control without wildcards:
cat > san.cnf <
When choosing between these approaches:
| Factor         | Wildcard  | SAN              |
|----------------|-----------|------------------|
| Security scope | Broad     | Precise          |
| Maintenance    | Simpler   | More complex     |
| New subdomains | Automatic | Requires reissue |
For Let's Encrypt wildcard certificates:
sudo certbot certonly --manual \
  --preferred-challenges=dns \
  -d '*.myserver.net' \
  --server https://acme-v02.api.letsencrypt.org/directory
(The wildcard is quoted so the shell does not expand it as a glob.) Remember to set up proper DNS validation for wildcard certificates.
- Always use 2048-bit or stronger RSA keys
- Set appropriate certificate lifetimes (90 days max for Let's Encrypt)
- Implement OCSP stapling for better performance
- Use certificate transparency logs for monitoring
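Added example, not code from either answer above: it builds both kinds of certificate from the two answers (a wildcard certificate, and an explicit-SAN certificate listing each host) with OpenSSL in a temporary directory, then asks OpenSSL which hostnames each one actually covers. It assumes OpenSSL 1.1.1 or later on PATH; make_cert and covers are helper names chosen here, and the hostnames are the page's own example names plus c.myserver.net and deep.a.myserver.net, constructed to show where wildcard matching stops. It needs no network access.

```shell
#!/bin/sh
# Added example (not from the original answers). Builds two self-signed
# certificates with OpenSSL (1.1.1+) and checks hostname coverage with the
# same matching rules a TLS client applies. Names are the page's examples:
# myserver.net, a.myserver.net, b.myserver.net; the rest are constructed.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found in PATH" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME DNS1 [DNS2 ...]  (helper name chosen for this example)
# Writes $WORK/NAME.key and $WORK/NAME.crt. The first name becomes the CN,
# but every name, including the first, goes into subjectAltName, because
# TLS clients match on the SAN and ignore the CN once a SAN is present.
make_cert() {
    name=$1
    shift
    cfg="$WORK/$name.cnf"
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\n'
        printf '[dn]\nCN = %s\n' "$1"
        printf '[ext]\nsubjectAltName = @alt\n[alt]\n'
        i=1
        for dns in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$dns"
            i=$((i + 1))
        done
    } > "$cfg"
    # -x509 makes req emit a self-signed certificate instead of a CSR;
    # -extensions selects the [ext] section so the SAN lands in the cert.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" \
        -config "$cfg" -extensions ext >/dev/null 2>&1
    chmod 600 "$WORK/$name.key"   # private key: owner-readable only
}

# covers NAME HOST: exit 0 when certificate NAME is valid for HOST.
# -verify_hostname applies real client-side wildcard rules, which is a
# stronger check than grepping the SAN line out of "openssl x509 -text".
covers() {
    openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$2" \
        "$WORK/$1.crt" >/dev/null 2>&1
}

# Wildcard approach: one entry covers every direct child of myserver.net.
# The bare domain must be listed as well; "*" never matches zero labels.
make_cert wildcard '*.myserver.net' 'myserver.net'

# SAN approach: each host is listed explicitly, so adding a host means reissuing.
make_cert explicit 'a.myserver.net' 'b.myserver.net' 'myserver.net'

# Coverage table. deep.a.myserver.net fails on both certificates because a
# wildcard matches exactly one DNS label; c.myserver.net fails only on the
# explicit certificate.
for host in a.myserver.net b.myserver.net c.myserver.net myserver.net deep.a.myserver.net; do
    for cert in wildcard explicit; do
        if covers "$cert" "$host"; then
            echo "$cert: $host OK"
        else
            echo "$cert: $host NOT COVERED"
        fi
    done
done
```

The loop at the end is the check the first answer's grep command only approximates: rather than reading the SAN line by eye, it lets OpenSSL decide whether each name would be accepted, which is what a browser or `openssl s_client -servername` does against the live server.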